Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
645
Views
0
Helpful
4
Replies

Analyzing MTU Issues

Go to solution
mmedwid
Level 3
Level 3

‎10-13-2008 12:27 PM - last edited on ‎03-09-2022 11:25 PM by Community Manager

I just resolved a VPN connectivity issue using "ip tcp adjust-mss" as noted here: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

But I used this more on a hunch than on direct evidence from the router. The symptom was that the user could ping sites on the far end of the LAN-to-LAN tunnel but he could not load the sites in a browser. These "sites" were actually printer management site and likewise the use could not print to these printers. As I have seen similar in the past my hunch was MTU issue and that did the trick.

But it took a long time to resolve this as the user was a VIP and I could not get him to test scenarios in live time. I would just hear the complaints after he went home and things didn't work as expected. My question: how could I have used the SOHO router (871 in this case) to trouble-shoot without the need for the user to be home? Maybe there is just no test like the end user really trying to do their thing. But perhaps some thoughts on how to verify MTU will not be a problem over the VPN? Or a way to emulate downloading a full web page or other test?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎10-13-2008 04:45 PM

"ip tcp adjust-mss" is really an efficiency option. If its application fixed an MTU issue, you have an MTU discovery processing problem. Other IP (non-TCP) packets can still be impacted. The latter, assuming the MTU discovery issue can be resolved, can be addressed using IP MTU before you get to your VPN tunnel. This isn't to say not to use "ip tcp adjust-mss".

Testing MTU should be possible using extended ping.

View solution in original post

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to mmedwid

‎10-14-2008 05:11 AM

"Could it be that my initial setting of 1452 actually made the situation worse?"

Unlikely. If starting with standard Ethernet, MSS is usually 1460 (1500 MTU less 20 bytes IP header and less 20 bytes TCP header). Your initial setting just wasn't small enough to account for all the IPSec overhead, which in the link you referenced is up to 58 bytes. I.e. maximum MSS should be about 1402. Smaller works, just not as optimal, which is why 1200 works.

Other than TCP, many other protocols don't often completely fill packets, which is probably the reason everything else works fine.

You can leave things as they are, and odds are, you'll see few in any problems. (You could also try increasing adjust-mss for sligthly better performance.) Or, you can also add IP MTU in addition to adjust-mss, or you can try to resolve the breakdown in PMTU. Even if you discover and fix the latter, adjust-mss is still good to use to avoid initial fragmentation in TCP.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎10-13-2008 04:45 PM

"ip tcp adjust-mss" is really an efficiency option. If its application fixed an MTU issue, you have an MTU discovery processing problem. Other IP (non-TCP) packets can still be impacted. The latter, assuming the MTU discovery issue can be resolved, can be addressed using IP MTU before you get to your VPN tunnel. This isn't to say not to use "ip tcp adjust-mss".

Testing MTU should be possible using extended ping.

0 Helpful

Go to solution
mmedwid
Level 3
Level 3
In response to Joseph W. Doherty

‎10-13-2008 05:20 PM

That's a great point on non-TCP packets. I originally had ip tcp adjust-mss 1452. And that was the broken state. When I moved it to ip tcp adjust-mss 1200 - everything that was broken was now fixed. Could it be that my initial setting of 1452 actually made the situation worse? Using ping I think the actual MTU through the pipe is 1412. But I didn't change anything with IP MTU as the things were working.

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to mmedwid

‎10-14-2008 05:11 AM

"Could it be that my initial setting of 1452 actually made the situation worse?"

Unlikely. If starting with standard Ethernet, MSS is usually 1460 (1500 MTU less 20 bytes IP header and less 20 bytes TCP header). Your initial setting just wasn't small enough to account for all the IPSec overhead, which in the link you referenced is up to 58 bytes. I.e. maximum MSS should be about 1402. Smaller works, just not as optimal, which is why 1200 works.

Other than TCP, many other protocols don't often completely fill packets, which is probably the reason everything else works fine.

You can leave things as they are, and odds are, you'll see few in any problems. (You could also try increasing adjust-mss for sligthly better performance.) Or, you can also add IP MTU in addition to adjust-mss, or you can try to resolve the breakdown in PMTU. Even if you discover and fix the latter, adjust-mss is still good to use to avoid initial fragmentation in TCP.

0 Helpful

Go to solution
mmedwid
Level 3
Level 3
In response to Joseph W. Doherty

‎10-14-2008 07:47 AM

Terrific information. Dang - you're good!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card